For anyone wondering, it's because SHA-1 has been proven vulnerable to hash collisions, meaning 2 matching signatures can be generated from entirely different inputs. So the alien is right, you shouldn't...